As a part of a project to automate TLS certificates for Azure Application Gateways, I ran into an unexpected issue with Azure Functions and managed identities. Specifically, the tool I was using was attempting to fetch a managed identity token, but wasn’t able to. I had to review the code of the tool, and many pages of documentation, to discover that Azure Functions provide environment variables that contain the correct endpoint information, which differs ever so slightly from the standard endpoint. ...
SSH Multi-Factor Authentication with SoloKey V2
In a bout of attempting to improve my operational security, I decided to review my current practices and see which areas I could improve. While I already use SSH keys for auth, having a file that is essentially a password to all my servers is a bit of a security risk if it is ever compromised. I already use my SoloKey for 2FA on various websites, so why not for SSH too? This way, even if someone gets my private key file, they can’t access my servers without physically having my SoloKey. Still a risk (see the XKCD comic about a $5 wrench), but less so. ...
Gitea Actions: Forget about YAML, let's use Nix
I maintain many repositories using Gitea Actions, and I’ve run into a lot of pipeline failures due to the smallest of issues. Most commonly it is whitespace differences in YAML files that cause unexpected parsing or complete failures. Recently, I was helping someone debug a workflow where a copy and paste from a different workflow brought in spaces for some lines instead of tabs, causing the pipeline to fail. ...
Streamlining My GCP SSH Workflow: Using SSH Configuration Tricks
In my use of Google Cloud Platform (GCP), I often recreate virtual machines (VMs), requiring frequent updates to connection information. This process becomes cumbersome, especially when dealing with stale entries in the known_hosts file and managing DNS entries for a growing number of servers. Additionally, using the Identity-Aware Proxy (IAP), which requires the gcloud CLI for secure access to these servers, adds another layer of complexity. What I ended up doing was to leverage my previous experience with SSH configuration files to streamline my workflow. ...
Use Drone plugins in Gitea Actions
Drone.IO is a CI/CD platform that uses Docker containers for each pipeline step. This makes it easy to use existing Docker containers as steps in your pipeline. You can go further and create special containers that are designed to be used as steps in your pipeline and that accept arguments from the pipeline to run pre-defined tasks. These plugins can be re-used in Gitea Actions so that you can run the same tasks in Gitea Actions as you would in Drone. ...
Experimenting with Proxmox on Apple Silicon: Turning Your M1 MacBook Air into a Virtual Datacentre
In an effort to create an easy-to-manage VM environment that I can use on the go, even with spotty internet, I decided to try running Proxmox on my Apple Silicon MacBook Air. I could use Parallels or VMware Fusion, but I instead chose Proxmox to support open-source software. Should the need arise to run production-level workloads, I can always purchase a Proxmox license and deploy it on a dedicated server. The challenging part was that Proxmox doesn’t distribute itself for arm64/aarch64, so I needed to find a way to do that. ...
Bye-bye Docker Hub, time to self-host all of my Docker images
One of the great things about Gitea is that it comes with a built-in Docker registry. This means that you don’t need to be reliant on Docker Hub (or its rate limits) to host your Docker images, or any other OCI-compliant image for that matter. In this post, I’ll go over how I migrated some of my Docker images from Docker Hub to my own self-hosted registry in Gitea. I won’t go over the setup of the package registry in Gitea itself, as it’s enabled by default, and I’d rather focus on the migration of the images themselves. The approach I took also didn’t use any registry-specific tools, and so it can be generalized to most other registries. ...
Let Wireguard clients use your IP Blocks advertised by BGP
As an addendum to my previous post on giving yourself an IPv6 address using WireGuard, I wanted to show how, if you are lucky enough to have an IPv4 range from before the “great IPv4 exhaustion”, you can assign those addresses to clients using WireGuard. Several consumer, prosumer, and enterprise cloud hosts allow you to advertise your IP range for your cloud servers. Some of these providers are OVH, Vultr, and Equinix Metal, but like last time, I suggest you look into OVH due to their predictable costs around bandwidth, and because you don’t need to configure a BGP connection with them, which makes setup much less work. ...
Giving yourself IPv6 with Wireguard
After many years of asking, my Internet Service Provider (ISP) still doesn’t support IPv6; the same goes for many other ISPs. This is a problem for many reasons, the first being the exhaustion of IPv4 addresses, leading some ISPs to implement “Carrier-Grade NAT” (CGN), where many customers share the same address; the second being that it is getting more and more expensive for small websites to have their own dedicated IPv4 addresses, including cloud providers instituting a cost to have an address. The obvious solution would be for all ISPs to start supporting IPv6, but sadly, this requires effort on the part of ISPs, and the problem isn’t known to many of their customers, so the easy path for them is to keep the status quo. ...
Instead of Docker-in-Docker, what about Docker-on-Fly?
In my never-ending quest to do things that are probably not the best idea and aren’t part of a usual use case, I wanted to see if I could run a Docker daemon on Fly.io. Even though you can think of Fly.io as a “container”-service hosting platform, it’s actually using Firecracker micro-VMs to run your service. They [“transmogrify”](https://fly.io/blog/docker-without-docker/) Docker images into the micro-VMs they run. This means it’s much easier to run a Docker daemon, as you don’t need to worry about the implications of running the Docker daemon inside of a Docker container. ...